It's nearly a year since the GDPR and Data Protection Act 2018 (DPA 2018) came into force. It's hard to believe that, one year on, we are still awaiting many guidance publications from the Information Commissioner's Office (ICO), but with organisations – hopefully – clued up on the majority of legal obligations and changes from the previous regime, we take a look at one area that organisations and employers are grappling with in increasing numbers: Data Subject Access Requests.
Individuals (data subjects) have the right to access their personal data, find out why it is being used and obtain certain supplementary information by making a Subject Access Request (SAR). SARs are not new under the GDPR or DPA 2018, but there are certain important changes which organisations and employers must not be caught out by. Individuals also have additional new rights regarding how their personal data should be treated. Three key changes are:
- Under the DPA 1998, a £10 fee was chargeable to the individual, but an organisation can no longer make a charge unless a request is “manifestly unfounded or excessive, in particular because of its repetitive character”. Then, organisations can charge a “reasonable fee” taking into account the administrative costs of providing the information or may refuse to act altogether. This could discourage very onerous SARs, but as yet there is no guidance on what is “manifestly unfounded” or “excessive”. It is for the organisation or employer to show that the request is "manifestly unfounded" or "excessive", so it would be risky to rely on it unless it is a very extreme case.
- Previously, an organisation had up to 40 days to respond to a SAR but, under the GDPR, organisations must respond without undue delay and in any event within one month. There is the potential for an extension of up to a further two months if the request is particularly complex or there are numerous requests. If the time is extended the organisation must inform the individual of this within the original one month and provide reasons. The one-month period starts from the time the organisation has received the request together with any information it needs to verify the identity of the individual making the request (which it must ask for as soon as possible).
- The SAR no longer has to be made in writing. This means a request could be made verbally, on the phone, or via social media, to any person in your organisation. It does not even have to use the words "subject access request" – it just has to be clear that the individual is seeking their own personal data.
It is therefore vital that every person in an organisation knows how to recognise a SAR and what to do with it. From an employer's perspective, this will mean training not only Data Protection and Compliance teams and HR departments, but also managers and anyone else who might receive such a request from a current or former member of staff. They will also need to know what information needs to be provided, since they might be storing information that is not accessible or retrievable by an organisation's data searches.
Many employers will have in place a specific policy for dealing with subject access requests or the process may be set out instead in a Data Protection Policy. They may also have a suite of template letters dealing with the process such as a letter of acknowledgement after receiving the request and a more detailed letter in response to the request.
A company responding to a SAR must produce copies of the information it holds in permanent and intelligible form, that is, understandable to the average person. Usually it will provide the information electronically unless asked otherwise.
In many cases the individual may simply want to know what data is stored about them, whether it is accurate and perhaps ask for some or all of the data to be erased or object to the processing. (Note that employers are unlikely to be able to comply with most requests for erasure or objection to processing, which is one of the reasons why an employer should not rely on consent to process the personal data of staff).
However, it is becoming increasingly common for current or former members of staff to ask for personal data in preparation for or as part of an Employment Tribunal claim about, for example, a dismissal or treatment which is alleged to be discriminatory. Employment Tribunal claims have risen sharply since 2017 when Employment Tribunal Fees were ruled unlawful by the Supreme Court. Organisations should also remember that SARs can be raised by individuals who are not members of staff but who are contemplating or conducting litigation.
How should an employer respond to a SAR?
First, the organisation will need to go through the exercise of extracting all data it has relating to the individual. There is no easy way to do this, although some organisations will have more sophisticated search methods than others.
For an employee or ex-employee, this could produce hundreds or even thousands of documents. It is possible to ask the individual for more information to clarify their request, but if they refuse to narrow it down or do not respond, you must still endeavour to respond to their original request.
However, individuals are not entitled to all and any information about themselves. Before any data is disclosed, the employer needs to go through a sifting process and ask itself a number of important questions about each piece of data, such as:
- Can you identify a living individual from this data (even if it has to be read with another document)? Genuinely anonymised documents may not contain personal data.
- Is the content directly about the individual or their activities? A group email from HR to all staff with Christmas closure dates is unlikely to contain personal data.
- What is the purpose for keeping the data? If it is not in order to keep records about that individual or make decisions about them it may not be personal data. The ICO gives the example of data held to monitor the efficiency of a piece of machinery, rather than any data held about the employees operating it.
- Does an exemption apply? For example, is the information covered by legal privilege or does the exemption for confidential references apply? Under the old regime this only covered a SAR made to the giver of a confidential employment reference, but now employers who are either giving or receiving confidential references can rely on an exemption under the DPA 2018.
- Does the data identify other individuals? Particular care needs to be taken here in dealing with such data and our advice should be sought. In essence there is a balancing act to be struck if the other individuals have not given consent for that data to be disclosed: the employer must weigh the requester's right of access against the other individuals' rights and interests before deciding whether to disclose, redact or withhold it.